Use this GitHub Action to scan your infrastructure-as-code (IaC) pipeline for security issues. Doing so can help you identify and remediate configuration issues before your cloud resources are deployed.
Parameter | Description | Default | Example |
---|---|---|---|
api-token | (Required) The API token used to communicate with Tenable Cloud Security. Generated in the Tenable Cloud Security Console during initial GitHub Actions setup. | | |
api-url | (Required) The URL of the Tenable Cloud Security API. The API URL varies based on the region in which your Tenable Cloud Security environment is deployed. | | https://us.app.ermetic.com/ |
exclude-paths | Exclude specific paths from the scan. | | dev/ |
exclude-policies | The IDs of any Tenable policies to exclude from the scan. This parameter is mutually exclusive with `policies`: a value can be entered for only one of the two. You can use glob patterns as wildcards to define a range of policies. For example, `exclude-policies: aws-s3-*` would exclude all policies related to AWS S3 buckets from the scan. | | aws-iam-role-public-access-exists-terraform |
fail-on-min-severity | The minimum policy severity that returns a non-zero exit code and fails the build workflow. If no value is defined, the workflow will not fail. Possible values: `information`, `low`, `medium`, `high`, `critical` | | critical |
logs | Whether to print log messages to the standard workflow output. Log messages include information about the scanner's run process and debug information, such as the number of files/lines scanned. Possible values: `true`, `false` | | true |
min-severity | The minimum severity of Tenable policies that you want to include in the scan. Possible values: `information`, `low`, `medium`, `high`, `critical` | information | medium |
output-file-formats | The format(s) of the report output file(s) that will be exported. Possible values: `csv`, `json`, `junit`, `sarif` | json | json,csv |
output-file-name | The name of the report output file(s) that will be exported. If multiple formats are selected, all files will have the same name. | results | results |
output-junit-test-name-prefix | Prefix for the JUnit test output name. Used to create a first-level hierarchy in test results. Can be used when `junit` is defined as an output file format. | | Scan1 |
output-path | The export path for the report output file(s). | | results/ |
path | The repository path that will be scanned. If left blank, the entire repository will be scanned. | | prod/ |
policies | The IDs of the Tenable policies that will be used to scan the repository, entered as a comma-separated list. If no values are entered, all policies will be scanned. This parameter is mutually exclusive with `exclude-policies`: a value can be entered for only one of the two. You can use glob patterns as wildcards to define a range of policies to include. For example, `policies: aws-s3-*` would include all policies related to AWS S3 buckets in the scan. For information about how to retrieve policy IDs from the CLI, refer to the Tenable Cloud Security documentation. | | aws-iam-role-public-access-exists-terraform,aws-sqs-queue-encryption-disabled-terraform |
silent | Whether to print scan result content to the standard workflow output. Scan result output contains detailed information about issues found during scanning. Independent of `logs`. Possible values: `true`, `false` | false | false |
types | The IaC frameworks to scan. If no value is entered, all frameworks will be scanned. Possible values: `terraform`, `terraform-plan`, `cloudformation` | | terraform |
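The following workflow is an added example of wiring these parameters together; it is not taken from the Tenable documentation. The action reference (`<TENABLE-IAC-SCAN-ACTION>`), the secret name, and the `<output-file-name>.<format>` naming of the report file are assumptions, as is the use of `github/codeql-action/upload-sarif` to publish the SARIF report.

```yaml
# Added example workflow, not part of the Tenable docs. Placeholders and
# assumptions are marked in the comments below.
name: IaC security scan

on:
  pull_request:
    paths:
      - "prod/**"          # only run when the scanned path changes

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to code scanning

jobs:
  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan Terraform with Tenable Cloud Security
        # Placeholder: use the action reference shown during the Tenable console setup.
        uses: <TENABLE-IAC-SCAN-ACTION>@v1
        with:
          api-token: ${{ secrets.TENABLE_CS_API_TOKEN }}  # assumed secret name; never hard-code the token
          api-url: https://us.app.ermetic.com/           # region-specific, see the api-url parameter
          path: prod/
          exclude-paths: dev/
          types: terraform
          # `policies` and `exclude-policies` are mutually exclusive; only one is set here.
          exclude-policies: aws-s3-*
          min-severity: low            # what the report contains
          fail-on-min-severity: high   # what breaks the build (high and critical)
          output-file-formats: sarif,json
          output-file-name: results
          output-path: results/
          silent: true                 # findings go to the report, not the console
          logs: true                   # keep scanner progress/debug lines in the job log

      # Upload even when the scan step failed the build, so findings reach the Security tab.
      - name: Upload SARIF to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results/results.sarif   # assumed: <output-path><output-file-name>.sarif
```

Keeping `min-severity` lower than `fail-on-min-severity` records low and medium findings in the report without blocking the merge, so reviewers can triage them while only high and critical issues stop the pipeline.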